Handling HTML Sent by the User


Here’s another validation consideration: what if users include HTML in the data they’re sending you, and you don’t want them to do so? Such HTML can be malicious, as when it includes JavaScript to redirect the browser to other pages.

There are ways of stripping out unwanted HTML. For example, say that you ask the user for their comments on your Web page, and you want to display those comments-but not any HTML? You could do that in a new page, handlehtml.php. Everything is as you’d expect in this page, except when it is time to display the user’s comments: at that point you can use the PHP strip_tags function to strip any HTML out, as shown here:

 <html>   <head>     <title>Handling HTML</title>   </head>   <body>     <center>       <h1>Handling HTML</h1>       <?         $errors = array();         if(isset($_REQUEST["already_shown"])){           validate_data();           if(count($errors) != 0){             show_errors();             display_welcome();           }           else {             handle_data();           }         }         else {           display_welcome();         }         function validate_data()         {           global $errors;           if($_REQUEST["comments"] == "") {             $errors[] = "<font color='red'>Please enter your " .               "comments</font>";           }         }         function show_errors()         {           global $errors;           foreach ($errors as $err){             echo $err, "<br>";           }         }         function handle_data()         {           echo "Your comments were ";           $text = strip_tags($_REQUEST["comments"]);           echo $text;         }         function display_welcome()         {           echo "<form method='post' action='handlehtml.php'>";           echo "Enter your comments<br>";           echo "<input name='comments' type='text'>";           echo "<br><br>";           echo "<input type='submit' value='Submit'>";           echo "<input type='hidden' name='already_shown'             value='hidden_data'>";           echo "</form>";         }       ?>      </center>    </body> </html>

Now users can enter HTML in their comments, as shown in Figure 14.18.

image from book
Figure 14.18: The handlehtml.php page accepts HTML.

And that HTML is stripped out in the final result, as shown in Figure 14.19.

image from book
Figure 14.19: The HTML has been stripped out.

In fact, there’s another way of handling HTML text: you can use the htmlentities function, which renders HTML harmless. This function “escapes” HTML by converting sensitive characters such as < into &lt;, > into &gt;, and so on, which means that browsers will display characters such as < as <, not as the beginning of a tag.

Presently, the handle_data function looks like this:

 function handle_data() {   echo "Your comments were ";   $text = strip_tags($_REQUEST["comments"]);   echo $text; }

You can use the htmlentities function in place of strip_tags like this:

 function handle_data() {   echo "Your comments were ";   $text = htmlentities($_REQUEST["comments"]);   echo $text; }

Now when the user enters HTML, that HTML will be escaped and displayed out in the final result, as shown in Figure 14.20.

image from book
Figure 14.20: The HTML has been escaped.



Ajax Bible
Ajax Bible
ISBN: 0470102632
EAN: 2147483647
Year: 2004
Pages: 169

Similar book on Amazon
HTML, XHTML, and CSS Bible
HTML, XHTML, and CSS Bible
JavaScript Bible
JavaScript Bible
JavaScript Bible
JavaScript Bible
PHP and MySQL Web Development (4th Edition)
PHP and MySQL Web Development (4th Edition)

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net